Improper Neutralization of Special Elements in Data Query Logic Affecting flowise-components package, versions >=2.2.3 <3.1.0


Severity: high (CVSS assessment by Snyk's Security Team)

Exploit maturity: Proof of Concept

  • Snyk ID: SNYK-JS-FLOWISECOMPONENTS-16111007
  • Published: 20 Apr 2026
  • Disclosed: 16 Apr 2026
  • Credit: tenbbughunters

Introduced: 16 Apr 2026

CVE: not available. CWE-943

How to fix?

Upgrade flowise-components to version 3.1.0 or higher.

Overview

flowise-components is the Flowiseai Components package.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQA_Chain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force the chain to generate and run malicious Cypher by supplying crafted natural-language prompts that override the LLM instructions or embed Cypher control tokens. The vulnerable path accepts attacker-controlled input, passes it into the LLM, and executes the resulting query against the backing graph without reliably constraining it. A successful attack can delete or modify graph data and expose records returned by the database, resulting in data corruption and unintended disclosure.

Notes

  • The advisory’s exploit path assumes a chatflow that wires GraphCypherQAChain to a live Neo4j graph connection and exposes the prediction endpoint; deployments that include the node but do not connect a graph backend, or do not publish /api/v1/prediction/{flowId}, do not present the same reachable surface.

Workarounds

  • Restrict access to the chatflow prediction endpoint POST /api/v1/prediction/{flowId} so only trusted users can reach a Graph Cypher QA Chain flow; this prevents an attacker from sending crafted prompts that trigger Cypher injection against the connected Neo4j database.
  • Remove or disable the Graph Cypher QA Chain node from any chatflow that is exposed to untrusted input; this prevents attacker-controlled prompts from reaching the graph.query execution path.
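A defensive gate of the kind the workarounds above point at, as an added example that is not Flowise project code: it inspects the LLM-generated Cypher before graph.query would run it and refuses anything that is not a read-only query, so a prompt that steers the model into a write clause is stopped short of the database. The function names, the clause list and the sample queries are constructed for this example and assume the generated query is available as a string at that point.

```typescript
// Added example, not code from the Flowise project. It assumes the deployment
// can see the LLM-generated Cypher string before graph.query executes it.

// Clauses that write to the graph or call procedures. Assumed starting list:
// extend it for procedures installed on your server (e.g. apoc.*).
const WRITE_CLAUSES: string[] = [
  "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP", "CALL",
  "LOAD", "FOREACH", "ALTER", "GRANT", "REVOKE", "DENY", "START",
];

// Blank out comments, string literals and backtick identifiers in one pass,
// so a keyword inside them is neither a false positive nor a hiding place.
function stripLiteralsAndComments(cypher: string): string {
  const skip = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:``|[^`])*`/g;
  return cypher.replace(skip, " ");
}

// Return every write/procedure clause present, in order of first appearance.
// Token-based, so it fails closed: a property named `set` is flagged too,
// which is the right default for a query the model wrote.
function findWriteClauses(cypher: string): string[] {
  const cleaned = stripLiteralsAndComments(cypher).toUpperCase();
  const tokens = cleaned.match(/[A-Z_][A-Z0-9_]*/g) || [];
  const found: string[] = [];
  for (const t of tokens) {
    if (WRITE_CLAUSES.indexOf(t) !== -1 && found.indexOf(t) === -1) found.push(t);
  }
  return found;
}

// Gate to call on the generated query: returns it unchanged when it is
// read-only, otherwise throws so the execution path is never reached.
function guardGeneratedCypher(cypher: string): string {
  if (stripLiteralsAndComments(cypher).indexOf(";") !== -1) {
    throw new Error("generated Cypher rejected: statement separator");
  }
  const clauses = findWriteClauses(cypher);
  if (clauses.length > 0) {
    throw new Error("generated Cypher rejected: " + clauses.join(", "));
  }
  return cypher;
}

// Constructed sample queries standing in for LLM output. The first contains
// a write keyword only inside a string literal and must pass.
const SAMPLE_READ = "MATCH (p:Person)-[:ACTED_IN]->(m:Movie) WHERE m.title = 'Delete Me' RETURN p.name";
const SAMPLE_WRITE = "MATCH (m:Movie) DETACH DELETE m";
```

The stronger control is to give the chain a database user without write privileges, or to open the neo4j-driver session with `defaultAccessMode: neo4j.session.READ`, so that the server itself refuses writes; the gate above then serves as a second, earlier check.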
